Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I'm developing a game with online mode, but it's opensource (SourceForge) and anyone can download the code, hack any checks and play against the official server with a hacked client.
I've been thinking about EXE file md5 checking, but anyone can calculate the genuine md5sum and send it to the server, bypassing that runtime check.
Is there any method to assure that the client is not modified? I know I must use server side checks because everything can be hacked. Other option is not committing some little part of the code and release EXE files compiled only in my computer, having all the files, but that goes against SourceForge rules I think.
As you stated, you need to check everything on the server.
Regardless of whether you release source code (remember Reflector!), you must never trust the client for anything (including its own integrity).
Note, however, that (ideally) you don't need to make cheating impossible; you just need to make it harder to accomplish a task by cheating than it is to accomplish that task legitimately.
Rational people will not cheat to accomplish something if they can do it more easily without cheating.
However, some people will cheat for the challenge of the hack, even if it's harder than doing it normally.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I've got a web app where I use plain file system for my custom logs - a lot of small files, I don't want to put that into db, that works for me quite well. But now I need to scale my app by using a load balancer in front, so I also need to keep those logs in sync between servers. Is there any reliable solution for such cases ? I know I could sync it by some OS means, or by scripting, but I'm thinking if there is any better solution for such scenarios? Is it the case for MongoDB usage or something more modern or is it better to keep it on file system as plain files ?
This questions is going to get you some heat since essentially your asking for our opinion. Ill be frank tho and wont argue with anyone since its just MY opinion. With web apps in my humble opinion, its always better to keep your data in a DB for scalability but also for analytical research. I know little about what your app does but its easier to write third party data apps that tell you how many of X or Y etc when its centrally stored in a DB. Since the app that gets said data can be anywhere. I know I probably wasted time with an argument but hey, hope I helped a bit.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 9 years ago.
Improve this question
Dont get me wrong people, let me clarify.
I would like to ask if I can trust node.js. I know its an amazing tool. But its a really young platform, to be honest. Should I start playing around with it (production, not just experimental use), or should I wait till it "grows up"?
Does it work fine on Windows? Because at the beginig it was not supported. Are there any stress tests that actually prove that its safe and can be trusted?
It demands to write a lot of code by hand, stuff that in other platforms are done by just one line of code. I know you are gonna say to me "that depends on your experience" . I agree, but does it worth "learning" node? What if its developing stops? Again, I'm only asking because its pretty young.
What of node's add-ons and modules are to be trusted about their safety/stability? There are so many out there.
Is it stable? And finally, what about node's interoperability? Does it work on every platform/browser? What about smartphones and mobile devices?
Again, dont get me wrong, I am not critisizing. I am just concerned because its pretty new, everybody is excited and I haven't see any cons, or safety/stability issues around.
Thanks
I don't understand why would anyone choose to use node.js to do backend: the statically typed code is easier to maintain and Javascript is not the best (a good?) language.
That said, there are situations, where it makes a lot of sense to have the same code running in the browser and in the back end. When you run into one of these, you will know. And then Node works just fine. We've had it in production for months exposing its functionality as an internal web service to our back end application and haven't had any problems with it.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
We are looking for any browser based file upload solution, commercial or free, that manages to survive internet connection interruptions and continues the upload process once the connection is re-established.
The scenario: a website used in areas where the users experience very unstable internet connections and yet need to upload files up to 3 MB (which sounds low but can really be a problem).
There are various jQuery and Flash based solutions around, like CuteUpload, Ajax Uploader and so on, but none of them has so far implemented a mechanism that helps in such a scenario. I am aware that the http protocol does not handle connection resets in a way that allows continuing a post.
A solution is conceivable if the client software knows how much has been uploaded already and is able to slice the upload into chunks while the server-side is smart enough to glue them back together. Or if client and server agree on chunk sizes beforehand, enumerate them, keep the session open and make sure every little piece get shipped. Possible, but probably not easy to write. We are working on .NET, but the server platform doesn't really matter.
Does anyone have a hint where to look?
there are no really popular or well known solutions for this problem. And I really hope that future versions of HTML will support this out-of-the-box.
But for now you can look at http://upload.thinfile.com/upload/thin.php which is a paid tool but you can try the demo for free.
Also, in the rails world, there is a FOSS gem https://github.com/stakach/Resumable-Uploads.
The method / approach they use is quite sound and cross browser compatible.
Also, don't look for "internet connection interruptions" look for "resumable file uploads" when googling :)
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
I am attempting to automate committing some files to SVN during our automated build process. Hudson does not have a tool (that works) to do this simply. I found Plugin to commit hudson build artifact which shows a second example using a simple command. The difficulty is now on obfuscating the credentials supplied.
I didn't really like the idea of building my batch into an exe -- it seemed a bit too bulky and not able to change. I was racking my brain for other ideas and coworker and I came up with this:
Create a new user in SVN with no privileges. I've called this user 'hudson'
Give hudson only the ability to read/commit to the one project in question. It cannot delete.
Use username/password unobfuscated. :x
Now, accessing our Hudson build server requires authentication. So, there is at least one level of implied authentication before being able to hit the unobfuscated password. If a malicious user had the ability to see this unobfuscated password then it is implicit that they have more privileges than having the unobfuscated password would grant them. Does that make sense? Is this sound? I feel really dirty for doing this, but I can't think of a simpler way to do it.
In the broadest terms, this is not a problem. However, there are several things you can do to improve it.
The password in question should be long and random. It's only used by a program; why should it be easy to read?
I generally apply small obfuscations to such password, particularly if they are not long and random for some reason (such as them being also used by humans). The reason is to prevent someone looking over my shoulder from suddenly knowing the password. Mild screening is useful anytime you're going to put a password in a script.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
Generally speaking.
How do a project manager evaluate and track the security issue for a project? Or is there any online resource that I can use as a reference ?
I would say that you would track this like everything else you track on your project.
Make sure that there is an architecture and project requirement review -- go though all aspect of the architecture and design and document any issues and questions as you go along. Depending on your application, it may include securing external communication and communication between different parts of the application, and understand any possibilities for malicious user input. If your application store any data, review what data is stored, and ask "what would happen if the data was lost or leaked". Understand how all sensitive data store is encrypted, and make sure that user passwords are never stored (store a oneway hash instead). Review how/if any encryption keys can be rotated, so that loss/leak of key does not mean compromise of security.
Document all issues and questions found in your favorite bug tracking and task management tool, even if just as reminder to get back and inspect actual implementation.
I think you add them as 'risks' or 'tasks' in your ALM system, depending on which phase you are current in with respect to your project.
How to evaluate security issues is usually deferred first to Devs or IT Profs depending on the nature and then reported back to the PM for review.